practice breaking things
The application uses Passkey-based 2FA. The server's verification logic has a critical flaw. Bypass the passkey step without an authenticator.
Start labThe server verifies the signature this time. But does it know who it's talking to?
Coming soon